How is CVE-2026-36670 exploited?

Network reachability (required): The vulnerable endpoint in alias_management.php is exposed over the network, so an attacker must be able to reach the OpenSIPS Control Panel service via HTTP/HTTPS. Authentication (required): Any low-privilege authenticated account is sufficient; the injected 'table' parameter is processed without further privilege checks after login. Victim interaction (not-required): The attacker submits a crafted GET request directly; no action from another user or administrator is needed. Attack complexity (info): Exploit complexity is low: the injection point is reliably reachable with no race conditions or special environmental conditions required.

What is the impact of CVE-2026-36670?

An attacker reads all data stored in the database, including SIP alias records, user credentials, and any session or configuration data persisted by opensips-cp. An attacker modifies or deletes persisted database rows, allowing manipulation of SIP routing tables, alias mappings, and user account data. An attacker executes resource-exhausting SQL operations that crash or severely degrade database availability, taking down SIP routing dependent on the control panel. An attacker leverages database-level write primitives to pivot further into the host system if the database user has file-write or command-execution privileges.

Back to search

HIGHCVE-2026-36670Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-36670: A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9

A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A time-based blind SQL injection vulnerability affects the alias_management module of OpenSIPS Control Panel (opensips-cp) in versions prior to 9.3.3. The flaw is reachable over the network by any authenticated user with a low-privilege account, exploiting the 'table' GET parameter in alias_management.php to inject arbitrary SQL commands. Successful exploitation gives an attacker full read, write, and denial-of-service control over the underlying database. No upstream fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-36670 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle opensips-cp. Any image containing an affected version of the alias_management module is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 8.8 (HIGH) and weighting that score against each environment's compliance policy to determine priority. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed release is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint in alias_management.php is exposed over the network, so an attacker must be able to reach the OpenSIPS Control Panel service via HTTP/HTTPS.
AuthenticationRequired
Any low-privilege authenticated account is sufficient; the injected 'table' parameter is processed without further privilege checks after login.
Victim interactionNot required
The attacker submits a crafted GET request directly; no action from another user or administrator is needed.
Attack complexityDetail
Exploit complexity is low: the injection point is reliably reachable with no race conditions or special environmental conditions required.

Blast Radius

An attacker reads all data stored in the database, including SIP alias records, user credentials, and any session or configuration data persisted by opensips-cp.
An attacker modifies or deletes persisted database rows, allowing manipulation of SIP routing tables, alias mappings, and user account data.
An attacker executes resource-exhausting SQL operations that crash or severely degrade database availability, taking down SIP routing dependent on the control panel.
An attacker leverages database-level write primitives to pivot further into the host system if the database user has file-write or command-execution privileges.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-36670 is active now, with any image bundling an affected opensips-cp version flagged on every scan. Because no upstream patch exists yet, HarborGuard monitors the advisory feed on each ingest cycle and will surface a patched-image rebuild the moment a fix is published by the opensips-cp maintainers. In the interim, recommended compensating controls include applying network policy rules to restrict access to the opensips-cp interface to trusted IP ranges only, enforcing egress filtering on the database connection to limit lateral movement if the host is compromised, and reviewing account access to ensure the minimum number of users hold authenticated sessions against the control panel. For customers with auto-remediation enabled, once a fix version is available, HarborGuard will automatically trigger a rebuilt image, run regression tests, and open a PR against affected workloads without manual intervention.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified